CMMC Is Finalized. How Will It Impact State and Local Government?

What is Cybersecurity Maturity Model Certification from the Department of Defense and why should state and local governments care about it? How agencies can leverage funding to grow their security programs.

What is Cybersecurity Maturity Model Certification (CMMC) and why should state and local governments care about it?

In August 2020, I interviewed cybersecurity expert Taiye Lambo in a blog called “Should State and Local Governments Obtain Cybersecurity Maturity Model Certification?”

Today, there are updates and important steps taken by the federal government that all governments should be aware of, and I turned to Mr. Lambo for his insights on recent developments.

As reported by the National Law Review: “DoD’s recent publication of the second of two companion rules makes CMMC no longer a mere policy aspiration but a binding legal requirement in future (and potentially existing) defense contracts. The vast majority of DoD contractors and subcontractors must implement and soon be prepared to certify compliance with specified government cybersecurity standards, or risk being shut out of the defense supply chain once the program’s new contract and solicitation requirements begin phasing in on November 10, 2025.”

You can read the CMMC Final Rule here: https://www.federalregister.gov/documents/2025/09/10/2025-17359/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of.

I really like the summary provided by Michael McLaughlin in his LinkedIn post on this same topic:

“The wait is over: the government has finalized the CMMC rule, making robust cybersecurity a non-negotiable requirement for nearly every defense contractor.

“The new CMMC framework is now a contractual gatekeeper for United States Department of War business. All contractors and subcontractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)—regardless of size or sector—must comply, with few exceptions.

“What’s changing?

“CMMC introduces a three-level system for cybersecurity controls and assessments. Depending on the sensitivity of the information you handle, you’ll face either self-assessment, third-party review, or a government-led audit.

“There’s no grace period: if you’re not certified at award, you’re out of the running.

“Key steps contractors must take now:
  • Assess your current cybersecurity posture against the CMMC requirements for your anticipated contract level.
  • Close compliance gaps and maintain comprehensive documentation.
  • Prepare for third-party or government assessments if you handle CUI.
  • Ensure your subcontractors are equally compliant.
  • Register and keep your CMMC status updated in SPRS.

“The risks of non-compliance are real: contract ineligibility, breach, regulatory penalties, and business disruption.

“The CMMC final rule is a fundamental shift for the military industrial base and an important step for national security.

“Read the latest from the cybersecurity team at Buchanan Ingersoll & Rooney PC here: https://lnkd.in/esb5gzvA.”

To dive deeper into this topic, I once again interviewed Taiye Lambo, who is an expert on the CMMC. The focus of the discussion is on how this topic impacts state and local governments and the wider SLED community.

Dan Lohrmann (DL): With current federal funding cuts, how can state and local governments, as well as tribes and schools, leverage DoD’s [Department of Defense's] funding increase to mature their cybersecurity programs?

Taiye Lambo (TL): I want to keep my responses in bullet form to provide maximum benefit and offer additional resources:
  • Federal/state cyber funds (SLCGP, MS-ISAC) are tightening, but SLTTs can seek partnerships. [CISA SLCGP]
  • DoD requested over $64 billion in FY 25 for IT/cyber — align tooling, training, exercises.
  • National Guard Title 32 cyber units support SLTTs (vulnerability assessments, incident response).
  • Even with cuts, SLCGP funds can prioritize 800-171 controls. [CISA SLCGP]
  • Maintain intel-sharing via JCDC and MS-ISAC. [JCDC][MS-ISAC]

DL: What are the direct or indirect implications of CMMC 2.0 requirements on the SLTT/SLED sectors?  

TL:
  • CMMC is mandatory for DoD contractors (effective Dec. 16, 2024, phased Nov. 10, 2025). [CMMC 2.0 Rule]
  • Even without DoD work, primes/OEMs may flow down CMMC-like clauses. [CMMC 2.0 Rule]
  • Provides a clear control baseline mapping to NIST SP 800-171 Rev. 3. [NIST SP 800-171 Rev. 3]

DL: What does voluntary adoption of CMMC 2.0 requirements look like for the SLTT/SLED sectors?  

TL:

DL: How can the SLTT/SLED sectors leverage CMMC 2.0 to address cybersecurity risks in their supply chain?  

TL:

DL: How does the current AI race combined with the CMMC 2.0 requirements impact cyber resilience for the SLTT/SLED sectors?  

TL:
  • Federal AI EO 14110 (rescinded 2025) and the U.S. Office of Management and Budget guidance still shape expectations. [AI EO 14110]
  • Apply 800-171 controls to AI workloads (data, access, logging, IR). [NIST SP 800-171 Rev. 3]
  • Demand AI vendor transparency, align contracts with CMMC obligations. [CMMC 2.0 Rule]
  • Use MS-ISAC and JCDC for AI-related intel and exercises. [MS-ISAC][JCDC]

DL: What other resources would be helpful for our audience?

TL:
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.